The NIPP was published in 2006. It established a partnership structure for coordination across 18 CIKR Sectors, and a risk management framework to identify assets, systems, networks and functions whose loss or compromise poses the greatest risk. The NIPP was updated in 2009 and again in December 2013, in part to reflect changes in federal cybersecurity policy since 2009. It identifies the roles and responsibilities of DHS, sector-specific agencies, and private sector partners.[1]

The overarching goal of the NIPP is to:

“Build a safer, more secure, and more resilient America by preventing, deterring, neutralizing, or mitigating the effects of deliberate efforts by terrorists to destroy, incapacitate, or exploit elements of our Nation's CIKR and to strengthen national preparedness, timely response, and rapid recovery of CIKR in the event of an attack, natural disaster, or other emergency.”

The NIPP provides the unifying structure for the integration of existing and future CIKR protection efforts and resiliency strategies into a single national program to achieve this goal. The NIPP framework supports the prioritization of protection and resiliency initiatives and investments across sectors to ensure that government and private sector resources are applied where they offer the most benefit for mitigating risk by lessening vulnerabilities, deterring threats, and minimizing the consequences of terrorist attacks and other man-made and natural disasters.

The NIPP risk management framework recognizes and builds on existing public and private sector protective programs and resiliency strategies in order to be cost-effective and to minimize the burden on CIKR owners and operators.

The NIPP provides the framework that defines a set of flexible processes and mechanisms that these CIKR partners will use to develop and implement the national program to protect CIKR across all sectors over the long term.

In accordance with HSPD-7, the NIPP delineates the roles and responsibilities for partners in carrying out CIKR protection activities while respecting and integrating the authorities, jurisdictions, and prerogatives of these partners.

State, Local, Tribal, and Territorial Governments: Develop and implement a CIKR protection program, in accordance with the NIPP risk management framework, as a component of their overarching homeland security programs.

Regional Partners: Use partnerships that cross jurisdictional and sector boundaries to address CIKR protection within a defined geographical area.

Boards, Commissions, Authorities, Councils, and Other Entities: Perform regulatory, advisory, policy, or business oversight functions related to various aspects of CIKR operations and protection within and across sectors and jurisdictions.

The cornerstone of the NIPP is its risk management framework. It details the roles and responsibilities for DHS, SSAs, and other federal, state, regional, local, tribal, territorial, and private sector partners implementing the NIPP, including how they should use risk management principles to prioritize protection activities within and across sectors.

Risk is the potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences. Simply stated, risk is influenced by the nature and magnitude of a threat, the vulnerabilities to that threat, and the consequences that could result. Risk is an important means of prioritizing mitigation efforts for partners ranging from facility owners and operators to Federal agencies.

The NIPP risk management framework (see Diagram 2) integrates and coordinates strategies, capabilities, and governance to enable risk-informed decision-making related to the Nation’s CIKR. This framework is applicable to threats such as natural disasters, man-made safety hazards, and terrorism, although different information and methodologies may be used to understand each.

Identify assets, systems, and networks: Develop an inventory of the assets, systems, and networks, including those located outside the United States, that make up the nation’s CIKR or contribute to the critical functionality therein, and collect information pertinent to risk management that takes into account the fundamental characteristics of each sector.

Assess risks: Evaluate the risk, taking into consideration the potential direct and indirect consequences of a terrorist attack or other hazards (including, as capabilities mature, seasonal changes in the consequences and dependencies and interdependencies associated with each identified asset, system, or network), known vulnerabilities to various potential attack methods or other significant hazards, and general or specific threat information.

Measure effectiveness: Use metrics and other evaluation procedures at the appropriate national, State, local, regional, and sector levels to measure progress and assess the effectiveness of the CIKR protection programs.

This process features a continuous feedback loop, which allows the federal government and its CIKR partners to track progress and implement actions to improve national CIKR protection and resiliency over time. The physical, cyber, and human elements of CIKR should be considered in tandem in each aspect of the risk management framework.

The NIPP framework calls for CIKR partners to assess risk from any scenario as a function of consequence, vulnerability, and threat, as defined below. It is important to think of risk as influenced by the nature and magnitude of a threat, the vulnerabilities to that threat, and the consequences that could result:

R = f(C, V, T)

Consequence: The effect of an event, incident, or occurrence; reflects the level, duration, and nature of the loss resulting from the incident. For the purposes of the NIPP, consequences are divided into four main categories: public health and safety (i.e., loss of life and illness); economic (direct and indirect); psychological; and governance/mission impacts.

Vulnerability: Physical feature or operational attribute that renders an entity open to exploitation or susceptible to a given hazard. In calculating the risk of an intentional hazard, a common measure of vulnerability is the likelihood that an attack is successful, given that it is attempted.

Threat: Natural or man-made occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment, and/or property. For the purpose of calculating risk, the threat of an intentional hazard is generally estimated as the likelihood of an attack being attempted by an adversary; for other hazards, threat is generally estimated as the likelihood that a hazard will manifest itself. In the case of terrorist attacks, the threat likelihood is estimated based on the intent and capability of the adversary.
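The following is an added worked example, not part of the NIPP text, showing how the R = f(C, V, T) formulation and the four consequence categories above can be turned into a scenario ranking for prioritizing mitigation. The NIPP leaves f unspecified; this example assumes the common multiplicative form R = T × V × C, with T and V expressed as likelihoods in [0, 1] and C as a weighted aggregate of the four consequence categories on a 0 to 10 scale. The category weights, the scenario names and all scores are constructed for illustration.

```python
"""Scenario risk scoring in the R = f(C, V, T) form.

Assumption (not the NIPP's prescription): f is multiplicative,
R = threat * vulnerability * aggregated_consequence.
"""
import math
from dataclasses import dataclass

# The four NIPP consequence categories, as listed in the text.
CONSEQUENCE_CATEGORIES = (
    "public_health_safety",  # loss of life and illness
    "economic",              # direct and indirect
    "psychological",
    "governance_mission",
)

# Constructed weights (sum to 1.0) so the aggregate stays on a 0..10 scale.
# A real program would set these per sector; these are illustrative only.
DEFAULT_WEIGHTS = {
    "public_health_safety": 0.4,
    "economic": 0.3,
    "psychological": 0.1,
    "governance_mission": 0.2,
}


@dataclass(frozen=True)
class Scenario:
    name: str
    threat: float          # likelihood the hazard is attempted / manifests
    vulnerability: float   # likelihood the hazard succeeds, given an attempt
    consequence: dict      # category -> score on a 0..10 scale


def _check_likelihood(label: str, value: float) -> None:
    """T and V are likelihoods; anything outside [0, 1] is a data error."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{label} must be in [0, 1], got {value}")


def aggregate_consequence(scores: dict, weights: dict = DEFAULT_WEIGHTS) -> float:
    """Weighted sum over the four NIPP categories; every category is required."""
    missing = set(CONSEQUENCE_CATEGORIES) - set(scores)
    if missing:
        raise ValueError(f"missing consequence categories: {sorted(missing)}")
    for cat in CONSEQUENCE_CATEGORIES:
        if not 0.0 <= scores[cat] <= 10.0:
            raise ValueError(f"{cat} score must be in [0, 10]")
    return sum(weights[cat] * scores[cat] for cat in CONSEQUENCE_CATEGORIES)


def scenario_risk(s: Scenario, weights: dict = DEFAULT_WEIGHTS) -> float:
    """R = T * V * C under the multiplicative assumption."""
    _check_likelihood("threat", s.threat)
    _check_likelihood("vulnerability", s.vulnerability)
    return s.threat * s.vulnerability * aggregate_consequence(s.consequence, weights)


def prioritize(scenarios: list) -> list:
    """Return (name, risk) pairs, highest risk first, for mitigation ordering."""
    ranked = [(s.name, scenario_risk(s)) for s in scenarios]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


def risk_reduction(s: Scenario, new_vulnerability: float) -> float:
    """Risk removed by a protective measure that lowers V (T and C unchanged)."""
    after = Scenario(s.name, s.threat, new_vulnerability, s.consequence)
    return scenario_risk(s) - scenario_risk(after)


# Constructed sample scenarios (illustrative values, not real assessments).
CONSTRUCTED_SCENARIOS = [
    Scenario("Cyber intrusion into a control network", 0.3, 0.5,
             {"public_health_safety": 6, "economic": 4,
              "psychological": 3, "governance_mission": 5}),
    Scenario("Regional flood affecting substations", 0.1, 0.9,
             {"public_health_safety": 4, "economic": 8,
              "psychological": 2, "governance_mission": 3}),
    Scenario("Physical intrusion at a low-criticality depot", 0.6, 0.8,
             {"public_health_safety": 1, "economic": 1,
              "psychological": 1, "governance_mission": 1}),
]


if __name__ == "__main__":
    for name, risk in prioritize(CONSTRUCTED_SCENARIOS):
        print(f"{risk:6.3f}  {name}")
```

The ranking illustrates why all three terms matter: the high-likelihood depot scenario outranks the flood despite trivial consequences, while the control-network scenario leads on the strength of its consequence score, and `risk_reduction` shows how much of that score a measure lowering V would remove.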

DHS has identified a number of risk assessment characteristics and data requirements to produce results that enable cross-sector risk comparisons; these are termed core criteria. These features provide a guide for improving existing methodologies or modifying them so that the investment and expertise they represent can be used to support national-level, comparative risk assessment, investments, incident response planning, and resource prioritization.